POP and SMTP *can* use secured connections but it's not mandatory in the protocol and for all I know, Gmail doesn't insist. I myself use Verizon, and they offer but do not require the use of secured connections (you configure your client for a different port number).

Well, if a Chinese hacker had access to hotel Wi-Fi and the user was using an encrypted connection to get their email (SSL/TLS/HTTPS/VPN etc.) they'd have seen nothing but gibberish. The email address would be unknown by the hacker. If standard (unencrypted) POP/SMTP was used they'd have seen the email addy and the password (as clear text). With the latter no "hacking attempts" would've been required--they'd simply log in.

In short it's probably coincidence.
--Don't feed trolls--it only makes them grow!

It doesn't matter if it does. HTTPS is not secure when you're on an open wireless network. There are tools in place that allow people to hijack sessions on open wi-fi networks, allowing them to place themselves in your secure session.

There are other tools that can even hijack wi-fi sessions to route through the hacker's laptop (or whatever) before the data gets sent to the wireless router. Everyone would connect to the laptop as its hotspot and the hacker's laptop would send that information onward, capturing everything in its path, including secure sessions.
--A government big enough to give you everything you want, is strong enough to take everything you have. -MLK

https: protects against this
--* seek help if having trouble coping--Standard disclaimers apply.

On many sites, https is used just for the authentication, but not for the actual session, so many sites can have your sessions hijacked and your accounts hacked even if you used https to sign in.

Gmail will use https for the entire session, but as I was saying earlier, when someone intercepts the connections for wifi connections, they can intercept and automatically re-issue certifications in the middle of your session. Your browser may flag something, but most people click by it and not think anything of it. Some browsers may not be set high enough to notice it, setting only an innocuous alert at the bottom of the screen, or not at all.

There are all sorts of other various methods as well. If you went to an http site that had you log in and redirected you to an https site, you could be redirected to login somewhere that issues its own cert and then captures your credentials.

This is an outdated example, one of many various security flaws that have been discovered in SSL/TLS over the years and if any of the devices are running unpatched firmware, it's easier for an attacker to pop in the middle and hijack your session.
--A government big enough to give you everything you want, is strong enough to take everything you have. -MLK

There's a program called SSLstrip that does exactly what I was talking about. Works for Gmail as well as other sites.
--A government big enough to give you everything you want, is strong enough to take everything you have. -MLK
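
Added illustration, not part of any post in this thread: a small Python audit for the conditions the posts above describe, namely HTTPS used only for sign-in and a login flow that starts on or falls back to plain HTTP, which leave the session readable to anyone in the path on open Wi-Fi. The host name, cookie values and header list are constructed sample data; `audit_flow` is a hypothetical helper name.

```python
"""Audit a recorded login flow for plain-HTTP exposure of the session."""
from urllib.parse import urlsplit

# Constructed sample: (request URL, response headers) for a hypothetical site.
SAMPLE_FLOW = [
    ("http://mail.example.test/",
     [("Location", "https://mail.example.test/login")]),
    ("https://mail.example.test/login", [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "prefs=dark; Path=/; Secure"),
        ("Location", "http://mail.example.test/inbox"),
    ]),
    ("http://mail.example.test/inbox", []),
]


def audit_flow(flow):
    """Return (finding, detail) tuples in the order they occur in the flow."""
    findings = []
    for url, headers in flow:
        scheme = urlsplit(url).scheme
        if scheme == "http":
            # Anything sent here crosses the network unencrypted.
            findings.append(("cleartext-request", url))
        for name, value in headers:
            lname = name.lower()
            if lname == "set-cookie":
                cookie_name = value.split("=", 1)[0].strip()
                attrs = {part.strip().split("=", 1)[0].lower()
                         for part in value.split(";")[1:]}
                # Without Secure, the browser also sends the cookie over http.
                if "secure" not in attrs:
                    findings.append(("cookie-without-secure", cookie_name))
            elif (lname == "location" and scheme == "https"
                  and urlsplit(value).scheme == "http"):
                # Sign-in was encrypted, but the session continues in clear.
                findings.append(("https-to-http-redirect", value))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_flow(SAMPLE_FLOW):
        print(f"{finding}: {detail}")
```
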